SEC Rule 38a-2 Means You Can’t Ignore Cyber Governance Anymore
On February 9, 2022, the Securities Exchange Commission (SEC) published a proposal of new rules (Rule 38a-2) for registered investment advisers and funds to address cybersecurity risk management.
The proposed rules are meant to bring the weight of federal law to the recommendations the SEC Division of Examinations (formerly OCIE) has been making since the launch of their Cybersecurity Preparedness Initiative in April 2014. Over the years they have seen the substantial harm that cybersecurity incidents caused by lapses in cybersecurity management can have on investors.
Proposed Rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act require registered investment advisers and investment companies to implement new cybersecurity, disclosure, and reporting practices to protect investors.
The proposed rules include three key requirements:
- Adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks.
- Disclose cybersecurity risks and incidents to an adviser’s clients and prospective clients. Funds also would be required to provide prospective and current investors with cybersecurity-related disclosures.
- Confidentially report significant cybersecurity incidents to the Commission within 48 hours.
The first requirement is the part about risk-based cybersecurity that Agio specializes in for our financial services clients. Let’s look at some of the specifics and provide a breakdown of how Agio can partner with you to meet the SEC’s new rules.
Expertise in Cybersecurity is Expected
The SEC expects you to shoulder this responsibility for cybersecurity risk, but they do not expect you to staff up for it. Instead, they see an advantage in engaging an outside team of experts:
“Advisers and funds may also utilize third-party cybersecurity experts that provide varying perspectives and are well-positioned to understand and assist in managing risks. Multiple perspectives may assist in building a stronger cybersecurity program, and also would allow firms to add expertise as needed in the rapidly changing cybersecurity environment.”
Agio can be your third-party cybersecurity expert. We have a team of cybersecurity, risk management, and SEC compliance professionals who have followed the SEC cyber guidelines since day one and have kept our SEC Cybersecurity Governance Program current to the latest requirements. Program clients start out with a Security Risk Assessment and SEC mock audit to identify and prioritize their risk and to see how they would fare under examination of their cybersecurity practices. Our governance program not only prepares them for an audit but it prepares them to prevent and respond to cyber incidents through monthly governance meetings with an Agio virtual Chief Information Security Officer (vCISO), security awareness training, phishing exercises, penetration tests, security architecture reviews, and tabletop exercises.
With our fully engaged clients we have a tremendous record of success and identifying and managing cybersecurity risk.
Strong Detection & Response is Critical
The proposed rules state that ongoing monitoring is expected to “detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to adviser or fund information and systems…This could include scans or reviews of internal systems, externally-facing systems, new systems, and systems used by service providers.”
To meet the need for round-the-clock monitoring of your critical systems and data, Agio created our Extended Detection & Response (XDR) service, applying AI and machine learning to proactively monitor and mitigate cyber-threats 24x7x365.
And the data speaks for itself. Financial services firms who rely on both Agio’s Managed IT and Extended Detection & Response services are 80% less likely to have a vulnerability escalate to a breach.
Your Vendors and Service Providers Matter
The proposed SEC rules make it clear that “an adviser or fund should take into account whether a cybersecurity incident at a service provider could lead to the unauthorized access or use of adviser or fund information or technology or process failures.”
We could not agree more. In fact, in 2021 I wrote about the reality that two-thirds of data breaches exist because of vulnerabilities introduced by third-party vendors.
Agio’s Third Party Cybersecurity Risk Program helps you assess the risk service providers pose to your data, your systems, your investors, and your firm. Through a cybersecurity due-diligence questionnaire and other assessments, we provide you with a tangible report of your service provider’s risk to help meet compliance requirements.
Current Agio clients who subscribe to our SEC Cybersecurity Governance Program, Extended Detection & Response (XDR), and Third-Party Cybersecurity Risk Program already meet – or are well on their way to meeting – these proposed new requirements. Since its inception, the SEC Governance Program has been aligned with the most current SEC guidelines for cybersecurity and has evolved to address new exam priorities put forward by the Division of Examinations.
Our clients are ready. Are you? Contact us to take our Rule 38a-2 Readiness Assessment today.
Connect with us.
Need a solution? Want to partner with us? Please complete the fields below to connect with a member of our team.